ugidfw(8)

NAME
     ugidfw - firewall-like access controls for file system objects

SYNOPSIS
     ugidfw add subject [not] [uid uid] [gid gid] object [not] [uid uid] [gid gid] mode arswxn
     ugidfw list
     ugidfw set rulenum subject [not] [uid uid] [gid gid] object [not] [uid uid] [gid gid] mode arswxn
     ugidfw remove rulenum

DESCRIPTION
     The ugidfw utility provides an ipfw(8)-like interface to manage access to
     file system objects by UID and GID, supported by the mac_bsdextended(4)
     mac(9) policy.  The arguments are as follows:

     add     Add a new ugidfw rule.

     add subject [not] [uid uid] [gid gid] object [not] [uid uid] [gid gid] mode arswxn
             Add a new rule, automatically selecting the rule number.  See the
             description of set for syntax information.

     list    Produces a list of all the current ugidfw rules in the system.

     set rulenum subject [not] [uid uid] [gid gid] object [not] [uid uid] [gid gid] mode arswxn
             Add a new rule or modify an existing rule.  The arguments are as
             follows:

             rulenum   Rule number.  Entries with a lower rule number are
                       applied first; placing the most frequently-matched
                       rules at the beginning of the list (i.e., lower-
                       numbered) will yield a slight performance increase.

             subject [not] [uid uid] [gid gid]
                       Subjects performing an operation must match (or, if not
                       is specified, must not match) the user and group
                       specified by uid and/or gid for the rule to be applied.

             object [not] [uid uid] [gid gid]
                       Objects must be owned by (or, if not is specified, must
                       not be owned by) the user and/or group specified by uid
                       and/or gid for the rule to be applied.

             mode arswxn
                       Similar to chmod(1), each character represents an
                       access mode.  If the rule applies, the specified access
                       permissions are enforced for the object.  When a
                       character is specified in the rule, the rule will allow
                       the operation.  Conversely, not including it will cause
                       the operation to be denied.  The definitions of each
                       character are as follows:

                       a    administrative operations
                       r    read access
                       s    access to file attributes
                       w    write access
                       x    execute access
                       n    none

     remove rulenum
             Disable and remove the rule with the specified rule number.
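As an added example, not part of this manual page or of FreeBSD's ugidfw code, the following Python parses rules written in the syntax above and models how an ordered rule set decides an access request. It assumes that a uid or gid left unspecified matches anything, that not inverts each uid/gid test in the clause it precedes, and that every matching rule must grant all requested mode characters (no first-match or stop behaviour is modelled).

```python
MODE_CHARS = set("arswxn")

def _parse_clause(tokens, i, keyword):
    """Parse '<keyword> [not] [uid N] [gid N]'; return (clause, index of next token)."""
    if i >= len(tokens) or tokens[i] != keyword:
        raise ValueError(f"expected {keyword!r} at token {i}")
    clause, i = {"not": False, "uid": None, "gid": None}, i + 1
    if i < len(tokens) and tokens[i] == "not":
        clause["not"], i = True, i + 1
    while i + 1 < len(tokens) and tokens[i] in ("uid", "gid"):
        clause[tokens[i]], i = int(tokens[i + 1]), i + 2
    return clause, i

def parse_rule(text):
    """Parse one rule in ugidfw(8) syntax: 'subject ... object ... mode arswxn'."""
    tok = text.split()
    subject, i = _parse_clause(tok, 0, "subject")
    obj, i = _parse_clause(tok, i, "object")
    if i + 2 != len(tok) or tok[i] != "mode":
        raise ValueError("rule must end with 'mode arswxn'")
    mode = set(tok[i + 1])
    if not mode or not mode <= MODE_CHARS:
        raise ValueError(f"mode may only use characters from 'arswxn': {tok[i + 1]!r}")
    # 'n' grants nothing, so a matching rule with mode n denies every operation.
    return {"subject": subject, "object": obj, "mode": mode - {"n"}}

def _clause_matches(clause, uid, gid):
    """Unspecified uid/gid match anything; 'not' inverts each given test (assumed)."""
    ok = True
    if clause["uid"] is not None:
        ok = ok and (clause["uid"] == uid) != clause["not"]
    if clause["gid"] is not None:
        ok = ok and (clause["gid"] == gid) != clause["not"]
    return ok

def access_allowed(rules, subj_uid, subj_gid, obj_uid, obj_gid, wanted):
    """Apply rules in rule-number order.  Modelled behaviour: every rule whose
    subject and object both match must grant all requested characters."""
    for rule in rules:
        if (_clause_matches(rule["subject"], subj_uid, subj_gid)
                and _clause_matches(rule["object"], obj_uid, obj_gid)
                and not set(wanted) <= rule["mode"]):
            return False  # a matching rule lacks a requested character: denied
    return True

RULES = [parse_rule(r) for r in (  # constructed sample rule set, lowest number first
    "subject uid 1001 object not uid 1001 mode rsx",  # uid 1001 may only read/stat/exec others' files
    "subject not uid 1001 object uid 1001 mode n",    # nobody else may touch uid 1001's files
    "subject object gid 2000 mode rs",                # group 2000 objects are read-only for all
)]
```

With this rule set, access_allowed(RULES, 1001, 100, 1002, 100, "w") is denied by the first rule, while uid 1001 writing its own files matches no rule and is allowed.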
SEE ALSO

HISTORY
     The ugidfw utility first appeared in FreeBSD 5.0.

AUTHORS
     This software was contributed to the FreeBSD Project by NAI Labs, the
     Security Research Division of Network Associates Inc. under DARPA/SPAWAR
     contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS
     research program.

BSD                            February 24, 2004